VYPR
Vendor: Rustfs

Products: 1
CVEs: 20
Across products: 20
Status: Private

Recent CVEs (20)

  • CVE-2026-45039 | Critical | May 28, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in…

  • CVE-2026-45043 | Critical | May 29, 2026
    risk 0.60 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user…

  • CVE-2026-45044 | High | May 28, 2026
    risk 0.57 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials.…

  • CVE-2026-40937 | High | Apr 22, 2026
    risk 0.54 | cvss 8.3 | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token),…

  • CVE-2026-45041 | High | May 28, 2026
    risk 0.50 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key…

  • CVE-2026-45042 | High | May 28, 2026
    risk 0.46 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation…

  • CVE-2026-47136 | Medium | May 28, 2026
    risk 0.45 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON…

  • CVE-2026-46685 | Medium | May 28, 2026
    risk 0.39 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets…

  • CVE-2026-45040 | Medium | May 28, 2026
    risk 0.34 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT…

  • CVE-2026-39360 | Medium | Apr 7, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by…

  • CVE-2026-27822 | Feb 25, 2026
    risk 0.00 | cvss - | epss 0.06

    RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF…

  • CVE-2026-27607 | Feb 25, 2026
    risk 0.00 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type…

  • CVE-2026-24762 | Feb 3, 2026
    risk 0.00 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log…

  • CVE-2026-21862 | Feb 3, 2026
    risk 0.00 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof…

  • CVE-2026-22782 | Jan 16, 2026
    risk 0.00 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In…

  • CVE-2026-22043 | Jan 8, 2026
    risk 0.00 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the…

  • CVE-2026-22042 | Jan 8, 2026
    risk 0.00 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations.…

  • CVE-2025-69255 | Jan 7, 2026
    risk 0.00 | cvss - | epss 0.00

    RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of…

  • CVE-2025-68705 | Jan 7, 2026
    risk 0.00 | cvss - | epss 0.07

    RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79.

  • CVE-2025-68926 | Dec 30, 2025
    risk 0.00 | cvss - | epss 0.29

    RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server…